CISO Talk by James Azar
CyberHub Podcast
Beer Production Halts, BBC Insider Threats, and the First Malicious MCP Server in the Wild

Asahi breweries shut down, ransomware gangs recruit journalists as insider threats, and supply chain attacks reach AI-powered email systems

Good Morning Security Gang!

It’s Tuesday, September 30th, 2025, and welcome back to the CyberHub Podcast. Today’s show is jam-packed with major disruptions in manufacturing, record-breaking crypto seizures, insider threat attempts from ransomware gangs, legal settlements, critical VMware patches, a malicious NPM supply chain campaign, new Android banking malware, OT asset mapping challenges, looming U.S. government shutdown risks, and California’s new AI regulation law.

If you haven’t checked out the articles, you should 100%. Don’t miss out on exclusive pieces like “Breaking the Status Quo,” “The Unknowns of AI Adoptions,” and much more exclusive content.

Espresso in hand, let’s get into it.

🍺 Asahi Beer Production Disrupted by Cyberattack

Japan’s Asahi Group Holdings, which controls nearly 40% of Japan’s beer market, announced it paused production at 30 domestic factories after a cyberattack crippled IT and OT systems. Orders, shipments, customer service, and call centers were all impacted. While Asahi hasn’t confirmed the nature of the attack, ransomware is the likely culprit.

“Look, I have a tolerance for cyber attacks. I do. But don’t mess with my favorite beer.” James Azar

With global brands like Peroni, Pilsner Urquell, and London Pride in its portfolio, the attack could ripple into international markets. As I joked on the show: “Don’t mess with my favorite beer.” But the serious point here is clear—recovery from OT disruptions in manufacturing takes weeks, not days.

💰 UK Seizes $6.9B in Bitcoin Fraud Case

UK police seized 61,000 Bitcoin, worth nearly $6.9B, in the largest crypto seizure in history. Chinese national Zemin Qian pleaded guilty to running a fraudulent investment scheme that stole billions from 128,000 victims in China between 2014 and 2017. Using a fake passport, she fled to the UK, where police later discovered wallets tied to her scheme. Hopefully some of these stolen funds will eventually be returned to victims.

📰 Medusa Ransomware Gang Tries to Recruit BBC Journalist

In a bizarre twist, Medusa ransomware operators reached out to BBC cybersecurity correspondent Joe Tidy on Signal, offering him a 15–25% ransom cut if he helped them breach the BBC by installing malware. Medusa has conducted more than 300 critical infrastructure attacks and is known for its double extortion methods. This case highlights the growing insider threat risk, with gangs directly targeting employees or trusted insiders to shortcut access.

🩸 OneBlood $1M Ransomware Settlement

OneBlood, a nonprofit blood supplier to 250 hospitals in four states, agreed to a $1M settlement after a 2024 ransomware attack compromised 170,000 individuals’ data. Impacted individuals can claim up to $2,500 for losses or take a flat $60 cash payment. This is another reminder that ransomware’s impact lingers long after initial response—in the courtroom and the balance sheet.

⚙ VMware Critical Patches

Broadcom released patches for six VMware vulnerabilities, including high-severity flaws in Aria Operations, NSX, vCenter, and VMware Tools. The most critical, CVE-2025-41244, is a privilege escalation bug. Another VMware Tools flaw could allow access to other guest VMs. Admins should patch immediately—VMware products remain a prime APT target.

📦 Malicious MCP Server in NPM

Security firm Koi discovered the first real-world malicious MCP server, embedded in a trojanized NPM package, Postmark MCP v1.0.16. The rogue code quietly copied every email it handled to the attacker’s server. This campaign shows how software supply chain attacks are becoming one of the biggest enterprise risks today.

🧑‍🦳 New Android Banking Trojan Targets Seniors

ThreatFabric identified “Bro”, a new Android banking trojan distributed via fake Facebook groups for seniors promoting community trips and social activities. Once installed, the “Community App” can take over devices and perform fraudulent transactions. The campaign already hit users in Australia, Singapore, Canada, South Africa, Malaysia, and the UK. Attackers are also testing iOS distribution via TestFlight.

🏭 OT Asset Mapping Challenges

CISA, the UK NCSC, and allied agencies issued new guidance on OT asset documentation, urging operators to catalog their assets, connectivity, and risks. As I noted, in energy and other OT sectors this is a lifelong project: devices announce themselves on very different cadences, some only once in months, so building a complete map is extremely difficult. But without that visibility, resilience is impossible.

“Some stuff pings every second, some stuff pings once a week, some stuff pings once a month, and some stuff pings once every 180 days. So mapping it is a lifelong project in some cases.” James Azar
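The cadence problem is easy to see in code. The following is an added example, not from the episode and not from the CISA/NCSC guidance, that builds a passive inventory from constructed device sightings (device id plus timestamp, the kind of record you would get from span-port captures or switch tables). It shows that a one-off seven-day scan window misses the device that speaks every 180 days, and that a continuously maintained inventory with a per-device cadence can tell an overdue device apart from one that is merely quiet. Device names, cadences and the silent `hmi-ws02` are all constructed.

```python
"""Passive OT asset inventory from sighting logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2025, 9, 30)  # fixed "current time" so the results are reproducible


def constructed_sightings():
    """Constructed sightings (device_id, timestamp): four devices with very
    different report cadences; hmi-ws02 goes silent after June 1."""
    plan = {  # device: (cadence in days, last day the device is alive)
        "plc-line1": (1, NOW),
        "hmi-ws02": (7, datetime(2025, 6, 1)),
        "backup-gw": (30, NOW),
        "safety-ctrl": (180, NOW),
    }
    out = []
    for dev, (days, alive_until) in plan.items():
        t = datetime(2025, 1, 1)
        while t <= alive_until:
            out.append((dev, t))
            t += timedelta(days=days)
    return out


def snapshot(sightings, window_days, now=NOW):
    """What a one-off scan or capture covering only the last N days would see."""
    cutoff = now - timedelta(days=window_days)
    return {dev for dev, t in sightings if cutoff <= t <= now}


def build_inventory(sightings):
    """Merge every sighting ever recorded into device -> sorted timestamps."""
    inv = defaultdict(list)
    for dev, t in sightings:
        inv[dev].append(t)
    return {dev: sorted(ts) for dev, ts in inv.items()}


def cadence_days(timestamps):
    """Typical gap between sightings in days; None if the device was seen once."""
    if len(timestamps) < 2:
        return None
    gaps = [(b - a).days for a, b in zip(timestamps, timestamps[1:])]
    return median(gaps)


def classify(inventory, now=NOW, tolerance=2.0):
    """'overdue' when silent for longer than tolerance x its own cadence,
    'cadence-unknown' for single sightings, otherwise 'active'."""
    result = {}
    for dev, ts in inventory.items():
        cad = cadence_days(ts)
        silent_days = (now - ts[-1]).days
        if cad is None:
            result[dev] = "cadence-unknown"
        elif silent_days > tolerance * cad:
            result[dev] = "overdue"
        else:
            result[dev] = "active"
    return result


if __name__ == "__main__":
    s = constructed_sightings()
    print("7-day snapshot sees:", sorted(snapshot(s, 7)))
    inv = build_inventory(s)
    print("cumulative inventory:", sorted(inv))
    for dev, status in classify(inv).items():
        print(f"{dev:12} cadence={cadence_days(inv[dev])} days -> {status}")
```

The snapshot sees only `plc-line1` and `backup-gw`; the cumulative inventory has all four. Because the cadence is learned per device, `hmi-ws02` (weekly, silent since May) is flagged overdue while `safety-ctrl` (last seen in June, on a 180-day cadence) is still considered active, which is exactly the distinction a snapshot cannot make.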

🏛 U.S. Government Shutdown Looms – CISA at Risk

If Congress fails to pass a continuing resolution tonight, 65% of CISA’s workforce will be furloughed. With no confirmed director and major vulnerabilities active in the wild, the timing couldn’t be worse. Cyber risk doesn’t pause because politicians can’t agree.

“Cyber risk doesn’t pause because politicians can’t agree.” James Azar

🤖 California AI Regulation Law

California Governor Gavin Newsom signed a law requiring AI firms to implement and disclose safety protocols, report incidents within 15 days, and protect whistleblowers. Fines can reach $1M per violation. While the law aims to prevent catastrophic misuse of AI, critics argue this should be handled at the federal level, not piecemeal state legislation.

🧠 James Azar’s CISO Take

Today’s show really drives home the fragility of OT environments. Asahi halting beer production, JLR still down, and CISA urging OT mapping all highlight how difficult it is to protect systems built decades ago. Ransomware in OT isn’t just about downtime—it’s about weeks of disruption and national-level ripple effects.

The second theme is trust erosion. Medusa trying to bribe journalists, NPM hosting malicious MCP servers, and seniors being preyed on through fake social groups all show how adversaries are exploiting the human and process side of security. For CISOs, governance must extend beyond patching—into training, insider threat programs, and supply chain trust validation.


✅ Action Items

  • 🍺 Review OT/IT segmentation and backups—manufacturing downtime = weeks, not days.

  • 🔐 Patch VMware (Aria Ops, vCenter, NSX, VMware Tools) immediately.

  • 📦 Audit NPM packages—watch for rogue MCP servers.

  • 📰 Review insider threat policies—targeted recruitment attempts are real.

  • 🩸 Monitor legal exposure—breach costs don’t end after IR.

  • 📱 Educate seniors and vulnerable groups about app fraud.

  • 🏭 Begin continuous OT asset mapping—it’s a journey, not a project.

  • 🏛 Track CISA operations during shutdown—plan for reduced federal support.

  • 🤖 Monitor California’s AI law, but prepare for federal regulation ahead.


That’s it for our show this morning. We’ll be back tomorrow at 9 AM Eastern live with the latest. No show on Thursday - it’s Yom Kippur, the Day of Atonement for us Jewish folk. Stay Cyber Safe!
